ADMINISTRATIVE - INTERNAL USE ONLY


ODP-83-675 
May 10, 1983 


MEMORANDUM FOR: Chief, Information Systems Security Group, 

Office of Security, DDA 

Chief, Systems Group, 

Information Management Staff, DDO 


UIA Representative,

CIRS Management Group 

SUBJECT: Proposed Work Statement for Support of CIRS 

Security Working Group 

REFERENCE: A. Task III, Work Statement for Support of CIRS 

Computer Security Working Group, 
dated 4 May 1983 

B. Proposed Tasking Statement for CIRS Security 
Working Group, dated 12 January 1983 


1. Attached you will find copies of references A and B for y 
STAT During the CIRS Management Group (CMG) meeting of 5 May 1983 

STAT I ^Chairman, CMG, submitted reference A for approval. 

that I was not in a position to approve this statement without consultation with
the appropriate Agency components. In addition, I felt that reference B 
should be more general in nature. 


2. I withheld approval of reference A, pending further Agency review 
and coordination, for the following reasons: 

o The word "Computer" should be deleted from the title since the 
name of the group is properly the "CIRS Security Working 
Group". The intent here is not to limit working group purview 
to computer security issues but rather to include all aspects 
which may bear on CIRS security.

o Without concurrence from the responsible Agency components, I
could not approve a proposal permitting the CIRS support
contractor, MITRE Corp., access to Agency resources for the
purpose of evaluating the security policies and procedures of CIA
computer systems and networks. The proposal calls for the
contractor to "evaluate the security features ... including
software, hardware, procedures, physical, personnel clearance
procedures, TEMPEST, and COMSEC.";

o Without concurrence from the responsible Agency components, I
could not approve a proposal permitting the CIRS support
contractor to review and evaluate the RECON GUARD project; and

o The proposal should be changed to call for the production of a
CIRS Requirements/Policy Document rather than a security plan;
we should determine where we want to go before we draw up a
plan detailing how to get there.


3. I also feel that reference B, which I have not approved, is too
specific. The tasking statement should be presented in terms of a general 
objective, leaving the details of how to accomplish it up to the Security 
Working Group. 


4. It is important that we proceed in concert on these issues and that 
the CIRS Security Working Group (CSWG) have a broad tasking statement to 
allow it to properly develop a CIRS Security Requirements/Policy Document. I 
look to the CSWG to develop such a document and the CIA CSWG 
representatives to formulate and present the Agency position on this vital 
issue. Accordingly, I will propose to the CMG that: 

o The word "Computer" in the title of reference A be deleted; 

o The specifics of reference A be left up to the members of the 
CSWG; and 

o Reference B be reworded to provide a broad tasking statement to 
include the production of a CIRS Security Requirements/Policy 
Document. This document will serve as the basis for the 
development of satisfactory CIRS security controls and
procedures. 


5. Should you feel that the positions on reference A and B, as 
presented above, should be altered or have any questions or comments 



cc: 


D/ODP

C/MS/ODP 

C/ISG/OCR/DDI 

C/INT/PCS/DDO 

C/PATG/ORD/DDS&T 


Att: a/s

4 May 1983


Task III 

Work Statement for Support of CIRS 
Computer Security Working Group 


The contractor will work in support of the government sponsored CIRS

Computer Security Working Group to «''»'"J‘%’^''®„|rsOLIS/WINOHia, FTO CIRC, 
procedures of the five computer systems (i.e., tt and

?rr,ndl!A SAFE, and new NPIC NOS) and "etworks (. e TveriLSt 
OOOIIS) that will be used in accordance tJ: f“e systems and 

representatives who are responsible for the security . J. Meetings 

the evaluation criteria published by the DOD Computer Security

?entI?’lnS'rher.ppnipri ate evaluation methodologies to prov^^^^^^^ 

assessment of each of the components. The CIRS plan calls ^ . Security 

task: 

Subtask I - Documentation Review and Evaluation Criteria Development

i^1 S"xi0^n6!"oD'Dirtcti«'’520o!'2r,’oirMOT5a750%rDOD'’c^ter 

Security Evaluation Eentet ''j’‘®^J’’„5n”LeiSp”va1uatioS’ *" 

S;?Jrms rcr^ts V rev^^ 

»^«"eroffhe task. 


Subtask II - Review and Evaluate Securit
Systems 

as password protection, ^°"^’’°jj^g^^Qntractor will* focus on the security 

;ru:::“‘s:rb;"e5Js - r sra^VSa^^^ " 

eventually the possible inclusion of "G" materials.

Subtask III - Review and Evaluate RECON Guard Approach and Other New Features

The contractor will review the current progress 
approach, the DIA fingerprint matrix identifier, SLACKER, DIN VI, and other
new security facilities to assess their possible use in 
effort. Such an assessment will include a technical ®^!®” ® 

as a cost evaluation for the use of these features. These 
documented in the form of memoranda within the third month of the co 

effort.

Subtask IV - Develop Proposed Security Standards for Overall CIRS Operations

The contractor shall use all the previous analyses Ity 

security standards for processing under the CIRS plan. These
standards will be documented in a draft CIRS Security Plan that will include
the identification of enhancements which must be made to each
components in order to achieve these standards. This initial plan will also
include resource estimates and identify milestone dates for the enhancement of
each of the CIRS components. This initial CIRS

completed within seven months from the initiation this task. Up
and possible modification by the government, this plan will be revised at a
future date under a separate task effort.


Length of Task: Seven months from initiation of the task
Resources: Approximately 5.0 man-months of effort. 


Deliverables:

a. Subtask I - Memorandum for the record providing evaluation 
criteria for review and approval by working group. 

b. Subtask II - Memoranda on the evaluation of each of the component 
systems. 

c. Subtask III - Memoranda on RECON GUARD and other specialized
security features. 


d. Subtask IV - Final written report and briefing which summarize 
all previous efforts and presents the contractor's proposed
initial CIRS Security Plan which will be reviewed and approved by
the CIRS Computer Security Working Group and the full IHC. 


e. Monthly status reports. 


Travel Requirement:

a. Local travel. 

b. One two-day trip to Dayton, Ohio, to visit the FTD facility.

Clearance Required:

a. Personnel 

o Agency TS/SI/TK/GAMMA with CIA polygraph for professionals
working directly on effort.

o Agency TS/SI/TK for admin personnel involved with the effort

b. Contractor Facility

o Facility clearance for storage of TS/SI/TK materials.

Attachment 5
12 January 1983 


PROPOSED TASKING STATEMENT FOR
CIRS SECURITY WORKING GROUP 


The CIRS Security Working Group will include agency/component 
representatives who are responsible for the security policies and procedures 
of computer systems and networks to be used in accordance with the CIRS 
plan. This working group will be supported by contractor/consultants and be 
tasked to do the following: 

o Review current security procedures of existing automated systems/data
communications networks which will provide processing services under
the CIRS plan highlighting variations in hardware, software, and
procedural approaches (e.g., password protection, host control access
procedures, terminal identifiers).

o Review future security procedures to be incorporated in
systems/networks such as SAFE, COINS, and the DODIIS DIN VI model as
well as any future changes to security in current processors.

o Concentrate on security features and procedures for the protection of
ORCON, "G" materials, EXDIS, and LIMDIS identifying how current
systems are controlling access and how CIA and DIA SAFE will handle
these materials in the future.

o Review the status and future potential of the RECON GUARD approach
and assess its capability to be used as a feature for some or all of
CIRS processors.

o Assisted by the IHC staff and contractor/consultants, develop a
preliminary and final security plan for the overall CIRS effort
incorporating minimum security features that each host and network
must maintain in order to provide the specified services under the
CIRS plan. Identify by system/network what enhancements must be made
by milestone date in order to process the "generally available data"
as well as the more highly sensitive material (i.e., "G" material).

o Assist in the development, review and approval of a preliminary
security plan by 1 September 1983 to be briefed to the IHC and 
updated on a quarterly basis. 


Sanitized Copy Approved for Release 2010/07/15 : CIA-RDP85-00142R0001001 10001-0 



